Вы находитесь на странице: 1из 15

h

(tps/:www.r3netc.om)

(http://sdntraining.com/?utm_source=FIR3NET&utm_medium=Banner1&utm_campaign=Ad&utm_content=Security)

Home (/) Articles (/Articles.html) Loadbalancers F5 BIG-IP (/Loadbalancers/F5-BIG-IP/)


BigIP F5 LTM - High Availability / DSC (v11.x)

BigIP F5 LTM - High Availability / DSC (v11.x)


Written on 29 July 2014. Posted in F5 BIG-IP (/Loadbalancers/F5-BIG-IP/)

One of the new features, within v11.x of the Tra c Management Operating System (TMOS) is Device Service Clustering (DSC).
Over the previous HA (High Availability) features within v10.x, i.e active-standby, connection mirroring etc., DSC also provides the
ability to perform,

multi-node clustering,
Active-Active (and Active-Standby) setup,
greater granularity over which data is synchronized
h
(tps/:www.r3netc.om)

SCOPE
Within this article we will explain the key components to DSC, the con guration steps and also the main commands used to
troubleshoot problems.

COMPONENTS
DSC is built upon 5 main components. They are,

Devices - Represents either a physical or virtual instance of a BigIP system.


Device Groups - A group of devices that synchronize and (based on the device group type) also failover their con guration.
There are 2 types of device groups,
Sync-Failover - Both the con guration data and the failover objects are synchronized ; Utilizes tra c groups (i.e failover
objects).
Sync-Only - Only the con guration data is synchronised.

Tra c Groups - A collection of failover objects (i.e virtual server, self IP) that runs on one of the devices within the (Sync-
Failover) Device Group. Should the device become unavailable the failover object is the served by the other device within the
Device Group.
Device Trust - Represents a trust relationship between devices also known as a trust domain. This is achieved via certi cate
based authentication. Device Trust is a prerequisite for both device groups and tra c groups.

Note : The initial trust of each device is performed over the management interface.

Folders - Folders contain con guration objects for the necessary partition in which they reside. This provides greater
granularity over what con guration that you decide to synchronize between devices. Both the default and the top level folder
is root.

Note : Each of these items can be located via the GUI under 'Device Management'.
h
(tps/:www.r3netc.om)

SYNCHRONIZATION
Unlike v10.x and below, TMOS v11 now uses rsync internally to perform synchronization between devices. Also unlike v10 which
used tcp/443 for synchronizing data, v11 uses tcp/4353.

The available options and also the ways in which you can issue a synchronization.

OPTIONS
The various options for synchronization can be found under 'Device Groups' and 'Devices'.

DEVICE GROUPS

Automatic Sync (via Properties Panel) - Automatically synchronize objects between devices based on the modi ed time. The
most recently modi ed object is synchronized to the other device. Because the modi ed time is used as the trigger NTP (i.e
time synchronization) must be con gured.
Full Sync (via Properties Panel) - Rather then only synchronizing the con guration objects that have been modi ed, the whole
con guration is synchronized.
Network Failover (via Failover Panel) - Determines whether a network probe is sent between the devices to ensure neighbor
h
(tps/:wcable
status. This is instead of uses ww.r3nebased
tc.om) failover*.

* As cable based failover mandates only 1 device can ever be active cable based failover doesn't support an Active-Active based
setup (i.e more then 2 tra c groups).

DEVICES

Con g Sync (via Device Connectivity) - De nes which interface is used for synchronization. Its recommended by F5 that this is a
dedicated link.
Failover (via Device Connectivity) - De nes which port is used for the network failover probes.
Mirroring (via Device Connectivity) - De nes which interfaces are used for mirroring. It is recommended that a secondary
address is also con gured to provide redundancy should the primary fail.

ISSUING A SYNC
Manual DSC synchronization can be performed via either the command line or the WebUI. To perform a manual synchronization
within the WebUI go to 'Device Management / Overview'. From this screen you will be presented with an overview of the
synchronization state across your devices and device groups.

The will also see the following options,

Sync Device to Group - Synchronizes any objects that have been recently modi ed to the other devices within the device
group.
Sync Group to Device - Synchronizes any objects that have been recently modi ed from the devices within the group.
Overwrite Con guration - When performing the above action(s) synchronize the con guration regardless of when it has been
modi ed.

DEPLOYMENT MODES
There are 2 main types of deployment modes with DSC, Active-Standby and Active-Active.

AC TIVE-STANDBY
With an Active-Standby based deployment tra c is only processed by a single device. This is achieved via single tra c group, which
h
(tps/:ww
all failover objects (virtual servers, w.r3netc.ometc)
self-ips ) reside within. This tra c group is then active on one of the nodes. Should this node
fail its HA checks the tra c group will be marked as standby and the tra c group on the other node promoted to active.

AC TIVE-AC TIVE
With an Active-Active based deployment tra c is processed by both devices. This is achieved via 2 Tra c Groups, (based on the
example below) one Tra c Group is placed as active on Node 1 and the other as active on Node 2. Your failover objects are then
assigned to either of the tra c groups, i.e Virtual Server A in tra c group 1 and then Virtual Server B in Tra c Group 2.

This results in Node 1 processing tra c for Virtual Server A, and Node 2 processing tra c for Virtual Server B.

Note : It is important to ensure that both nodes are running under 50% capacity. This ensures if either of the devices fail then at the
point all tra c is processed by the single node that the devices capacity is not reached.

h
(tps/:www.r3netc.om)

CONFIGURATION
The rst step in con guring DSC is to con gure a Trust Domain. Then we con gure the tra c groups for either a active-active or
active-standby deployment.

DEVICE TRUST

1. Goto 'Device Management' / 'Device Trust' / 'Peer List'.


2. Click 'Add'.
3. Enter the IP and credentials of the peer device.
4. Click 'Retrieve Device Information'

DEVICE GROUP

1. Goto 'Device Management' / 'Device Groups'.


2. Click 'Create'.
h
(tps/:www.r3as
3. Enter name, select 'Sync-Failover' netc.othe
m) 'Group Type', and then add all devices to the 'Included' members list.
4. Enable 'Network Failover'.

SYNCHRONIZE

1. Goto 'Device Management' / 'Overview'.


2. Click 'Sync Device to Group'.
3. Click 'Sync'.
4. Wait for the Sync Status of both devices to turn green.

Note : To con gure the IP used for Con gSync and Mirroring, along with the the IP, VLAN and Port for Network Failover go to
'Device Management' / 'Devices' / '<DEVICE NAME>' / Device Connectivity.

AC TIVE-STANDBY
Once the trust domain is con gured the oating IP for each VLAN needs to be con gured.

A SSIGN TR AFFIC GROUP 1

1. Goto 'Network' / 'Self IPs'.


2. Create a oating Self IP for each VLAN (i.e Internal and External).
3. For each self IP created con gure the 'Tra c Group' as 'tra c-group1- oating'.

In this example we will only be using a single Tra c Group, because of this any virtual servers that are created will be placed into
the default (single tra c group).

Note : Should you require MAC Masquerading, a single tra c group can still be used. However this will result in the same MAC
address being advertised for all Self-IPs within the tra c group which may complicate future troubleshooting.

AC TIVE-AC TIVE
Once the trust domain is con gured the oating IP for each VLAN needs to be con gured. Once done an additional tra c group is
also created.

A SSIGN TR AFFIC GROUP 1


1. Goto 'Network' / 'Self IPs'.
2. Create a oating Self IP forh (tpeach
s/:www.VLAN
r3netc.om)(i.e Internal and External).
3. For each self IP created con gure the 'Tra c Group' as 'tra c-group1- oating'.

CRE ATE TR AFFIC GROUP 2

1. Goto 'Device Management' / 'Tra c Groups'.


2. Create a new Tra c Group called 'tra c-group-2' using all the default settings.

DEMOTE TR AFFIC GROUP 2

1. Select 'tra c-group-2' from the list and select 'Force to Standby'.

The tra c group list will now show your current device running 1 tra c group as active and 1 tra c group as standby.

A SSIGN TR AFFIC GROUP 2

1. Via 'Local Tra c / Virtual Servers / Virtual Address List' select the Virtual Server that you want to assign to 'tra c-group-2'.
2. Via 'Local Tra c / Virtual Servers / Virtual Server List' select your Virtual Server. Within the tra c group section select 'tra c-
group-2'.

ENABLE SNAT

1. Under 'Source Address Translation' select Automap*.

Once complete the default tra c-group will be active on one node and tra c-group-2 will be active on the node.

*As the SelfIP is assigned to tra c-group-1 without Automap the tra c would be sent through the wrong device.

VE ISSUES
When con guring DSC on Virtual LTMs (when using the steps above) you may nd that both sides show as disconnected. I have
only found this in the lab for VE devices on both v11.4 and v11.5.

To resolve this you will need to change each of the devices certi cates to a self-signed certi cate and also perform the steps in a
slighty di erent order.
STEPS
h
(tps/:www.r3netc.om)
Below provides a summary of the required steps.

1. Generate new self signed cert for each device - Goto Device Management / Device Trust / Local Domain. Select Generate New
Self-Sign Authority.
2. Create Sync Interface - Create a new VLAN that will be used for synchronization, mirroring, and network failover on both
devices.
3. Con gure Con gSync/Mirroring - Con gure the interfaces that will be used for mirroring, con g sync and network failover on
both devices.
4. Con gure Device Group - Create a Sync-Failover device group on Node 1 and only add local device. Enable Network Failover.
5. Con gure Trust - On Node 1 con gure the Trust Domain.
6. Update Device Group - On Node 1 add the remote peer to the device group.
7. Tra c Group Assignment - Assign the tra c groups accordingly.
8. Synchronize - One Node 1 perform an initial synchronization via Sync Device to Group in "Device Management' / 'Overview".

TROUBLESHOOTING
CHECKS
If your are facing issues with your HA setup, the following should be checked,

Verify NTP is working correctly.


Check connectivity between peer addresses.
Check Self IPs used as peer addresses reside in route domain 0.
Ensure the following protocols/ports are permitted between nodes. Note : No matter which Port lockdown setting used these
ports are permitted.
UDP/1026 (network failover)
TCP/1028 (connection & persistence mirroring)
TCP/4353 (CMI peer communication)
Reset and Rebuild your Trust Domain.

COMMANDS
tmsh run /cm h
(tps/:www.r3netc.om)
sniff-updates
tmsh run /cm config-sync
tmsh run /cm watch-devicegroup-device
tmsh run /cm watch-sys-device
tmsh run /cm watch-trafficgroup-device

tmsh show /cm traffic-group


tmsh show /cm sync-status

REFERENCES
http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13946.html (http://support.f5.com/kb/en-
us/solutions/public/13000/900/sol13946.html)

12 Comments Fir3net.com
1 Login

Sort by Newest
Recommend Share

Join the discussion

LOG IN WITH
OR SIGN UP WITH DISQUS ?

Name

Tarun Singh 2 years ago


I am still not able to configure HA on VE. Both VE getting disconnected as soon as i add peer to trust domain. i am using 11.3
version and i followed the steps provided by you for VE. Please help me creating HA for VE and troubleshoot it.

Thanks,

Tarun
Reply Share

Dinesh Kumar > Tarun Singh 2 years ago


Dear,
Dear,

There is bug inh


(VE
tps/:www.r3innetc.o
but m) scenario its working perfectly.
real
Reply Share

Felix001 > Tarun Singh 2 years ago


Can you ensure both units are using 2048bit keys. If not recreate via CLI and ensure there are no 1024bit keys in use. If
this is still presenting an issue, reset both boxes back to default.
Reply Share

guest1234 2 years ago


Hello,

What if the peer VLAN has gone down and both f5 boxes are in standby mode. Is there any workaround for the F5 HA feature
that when the pool is not reachable for both devices, not to make the 2 boxes enter the standby mode.
Reply Share

Felix001 > guest1234 2 years ago


Try HA groups.
Reply Share

guest123 2 years ago


hi can we configure high availability between a hardware and a VM bigip LTM ? thank you
Reply Share

Felix001 > guest123 2 years ago


Yep as long the software versions are the same your be fine
Reply Share

guest123 > Felix001 2 years ago


thank you for your reply.. can i use any BigIP Virtual edition with any bigIP hardware box ?
Reply Share

cnoyes72 3 years ago


I get "This device is not found" when trying to add the peer unit's management IP to the peer list. From the CLI I can ping it so
I'm not sure what the problem could be.
Reply Share
Vijay 3 years ago h
(tps/:www.r3netc.om)
Thanks...good to watch about F5.. iam just a beginner
Reply Share

stfu 3 years ago


Early in the article the port for syncing data is not correct - should be 4353.
Reply Share

Felix001 > stfu 3 years ago


Great. Thanks for letting me know. This has been updated.
Reply Share

Subscribe d Add Disqus to your siteAdd DisqusAdd Privacy

back to top
Tags: BIG-IP F5 (/tag/19-big-ip-f5.html), DSC (/tag/79-dsc.html)

(http://www.dmca.com/Protection/Status.aspx?ID=bf4475b8-9010-4516-a707-

6cfbe96736e7&refurl=https://www. r3net.com/Loadbalancers/F5-BIG-IP/bigip-f5-ltm-high-availability-v11x-dsc.html)
-21% -40%
h
(tps/:www.r3netc.om)

RP 190.000 RP 1.325.900
-50% -55%

RP 229.500 RP 179.550
-50% -30%

RP 229.500 RP 349.650
-20% -50%

RP 399.600 RP 229.500
-21% -40%
h
(tps/:www.r3netc.om)

RP 190.000 RP 1.325.900

-21% -40%

-50% -55%

-50% -30%
h
(tps/:www.r3netc.om)

(http://www.host-tracker.com)

Оценить